Chapter 2: Installation and Deployment
Published: February 28, 2008
The External Collaboration Toolkit for SharePoint (ECTS) uses Active Directory Application Mode (ADAM), Microsoft SQL Server®, Windows SharePoint Services 3.0, and custom software to provide collaboration services. This chapter describes how to install the ECTS and the software it requires.
Note This chapter describes how to install the ECTS software on a single server running Windows SharePoint Services 3.0 to minimize the number of servers required to make this environment functional. If you want to install the ECTS on more than one server, or to install it in a Microsoft Office SharePoint Server 2007 environment, see Appendix A, “Installing in Larger Environments,” before beginning this installation process.
The process of installing the ECTS is relatively straightforward. The installation process generally involves the following steps:
Prepare the Environment
To simplify the installation process, you can make certain decisions in advance and gather information that you will need when you install the solution. In addition, ensure that your environment meets the solution prerequisites and complete a few pre-installation steps, which include installing a certification authority and setting up DNS aliases.
There are a number of decisions that you can make before you begin that will help streamline the installation process. Record the decisions you make about the following items before you begin installing:
Appendix B, “Required Data for Installation,” of this document provides a form that you can use to record the required data that you will use during the installation process.
Before you begin to install the solution, ensure that you:
Before you can install and set up the solution, you must first prepare the environment. This process involves the following steps.
Install Certification Authority (Optional)
To function properly, the ECTS requires that all communication between the SharePoint Web server and ADAM be encrypted. This means that the server that hosts ADAM needs a certificate. You can either get a certificate through an external certification authority (CA) or use the Microsoft CA.
If you choose to use the Microsoft CA, you must set it up on one of your domain controllers. The software installation process is very simple. On the domain controller, in Control Panel, double-click Add or Remove Programs, then click Add/Remove Windows Components. Select the Certificate Services check box, click Next, and then choose to create an Enterprise Root CA. Provide a common name, then select the defaults for the rest of the installation. When you are done, you will have a CA that can be used to issue certificates in your organization. For more information, see Installing and configuring a certification authority.
Set Up DNS Aliases
Your servers will need to have DNS entries both internally and externally. We suggest using an alias for your internal DNS name for the collaboration environment rather than the actual host name of the extranet server. This allows you to move the collaboration environment to a different server or to deploy load balancing in the future with a minimum of disruption to your environment. Use the DNS manager to create an alias (CNAME) for your internal URL, which you recorded with your Required Data. The alias should point to the host record for the extranet server.
You also need to have your external DNS provider create an A or CNAME record that external users can use to access the extranet server. Consult with your external DNS provider to set this up.
Note For testing purposes, both the internal and external host names can be added to your HOSTS file.
Install Certificate and Update Key File Permissions
As mentioned previously, you must have a certificate installed on your ADAM server for the ECTS to function properly. This is because the ECTS connects to the ADAM server over an SSL-encrypted Lightweight Directory Access Protocol (LDAP) connection. Therefore, you must install a certificate on the ADAM server.
If you are using your own Microsoft CA, follow these instructions to get a certificate for the ADAM server. If your certificate comes from another channel, follow the instructions provided by that source.
First, you may need to modify your firewall rules to allow HTTP (port 80) traffic from the extranet server to the CA server inside your organization. This traffic is required only to submit the certificate request and retrieve the issued certificate; the private key is generated on the extranet server and never crosses this connection. After you have obtained the certificate, you can disable this communication.
From the extranet server, use Microsoft Internet Explorer® to access the certification service on the domain controller at http://domain_controller/certsrv, where domain_controller is the name of the domain controller running the certification authority.
To install a certificate on the extranet server:
At this point you can update your firewall rules to disallow HTTP communication between the extranet server and the CA server; it is no longer necessary.
To verify that the certificate was installed, you can use Microsoft Management Console (MMC) with the Certificates snap-in to look at the local computer certificates. Expand Certificates, expand Personal, and expand Certificates to find the certificate you just installed. Or you can run certutil -store my from the command line to see the certificate.
Update Permissions on the Certificate File
The certificate is installed, but ADAM cannot use it until one more step is complete: the account under which the ADAM instance runs must be able to read the certificate's private key file. Machine private keys are stored in the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder. One of the files in this folder is the key you just installed. Check the time stamp to find the appropriate file, or run certutil -store my and look at the key container information it prints for the certificate (the unique container name is the file name of the key file). Grant Read access only, and only to the account the ADAM instance will run as (by default, NETWORK SERVICE); do not give Everyone or Users access to this folder, because anyone who can read the key file can impersonate the ADAM server.
To update permissions on the certificate:
ADAM will now be able to read the key file and use the certificate.
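As an added example (not part of the ECTS documentation or package), the following Windows PowerShell script performs the locate-and-grant step above without hunting through time stamps: it finds the certificate in the local computer Personal store, reads its unique key container name to identify the key file under MachineKeys, grants Read access to that file, and prints the resulting ACL for review. It assumes Windows PowerShell 2.0 or later on the extranet server, that the certificate subject contains the ADAM host name (extranet.treyresearch.net is a placeholder), and that the ADAM instance will run as NETWORK SERVICE, its default service account; change $ServiceAccount if you plan to use a different account.

```powershell
# Added example, not from the ECTS package. Grants the ADAM service account
# read access to the private key file of the ADAM server certificate.
# Assumes PowerShell 2.0+; the host name and account are placeholders.
param(
    [string]$AdamHost       = "extranet.treyresearch.net",    # placeholder
    [string]$ServiceAccount = "NT AUTHORITY\NETWORK SERVICE"  # ADAM default
)

# Find exactly one unexpired certificate for the ADAM host that has a private key.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
$certs = @($store.Certificates | Where-Object {
    $_.Subject -like "*CN=$AdamHost*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
})
$store.Close()

if ($certs.Count -ne 1) {
    throw "Expected one unexpired certificate with a private key for $AdamHost, found $($certs.Count)."
}
$cert = $certs[0]
Write-Host "Certificate: $($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter)"

# For CAPI machine keys the unique container name is the file name under
# MachineKeys (the same value that certutil -store my reports).
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyDir    = Join-Path $env:ALLUSERSPROFILE "Application Data\Microsoft\Crypto\RSA\MachineKeys"
$keyFile   = Join-Path $keyDir $container
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

# Grant Read only, and only to the service account: whoever can read this
# file can impersonate the ADAM server. Leave the folder ACL untouched.
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting ACL so the change can be reviewed before ADAM is set up.
(Get-Acl $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it from an elevated local Administrator session on the extranet server (the account that enrolled the certificate already has access to the key). If the script reports more than one matching certificate, remove the stale one from the Personal store rather than guessing which key file to open up.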
Install Required Software
Now that you have prepared the environment, it is time to install the software on the extranet server. We recommend that you log on to the server as the local administrator before installing the software packages.
Install Internet Information Services (IIS)
First, click Start, point to Administrative Tools, and then click Configure Your Server Wizard to make sure that the server is set up as an Application Server. Follow the instructions to install IIS. When asked, select the check box to enable ASP.NET. You may need your Windows Server 2003 installation disk to complete this step.
Install .NET Framework 3.0
Next, ensure that .NET Framework 3.0 is installed. If it is not already present on the server, download it from the Microsoft Download Center and install it, or select .NET Framework 3.0 in the Recommended Updates section of the Windows Update site. You may be required to restart the computer after the installation is complete.
Install ADAM
Next, you will need to install ADAM on the extranet server. ADAM should be available on your server in Add or Remove Programs under Windows Components (look under Active Directory Services), or you can get the latest version on the Microsoft Download Center. Follow the instructions and accept all the defaults for the ADAM installation. Do not create an ADAM instance at this point; you will do so later in the setup process.
Install SQL Server
Next, install SQL Server on the extranet server. You can use any version of SQL Server 2005. If you do not need advanced features, you can use SQL Server 2005 Express Edition. You can get SQL Server Express Edition from the Microsoft Download Center. Choose all the defaults for the installation. Do not create any databases at this time; you will do so later in the setup process.
Install Windows SharePoint Services
Finally, you are ready to install Windows SharePoint Services 3.0. When asked, choose the Basic installation. When you are asked if you would like to run the SharePoint Products and Technologies Configuration Wizard, clear the check box to ensure that this wizard does not run. You will set up SharePoint manually.
Important If you run the Configuration Wizard, many of the steps that follow will not work.
Configure Windows SharePoint Services
Now that all the software is installed, it is time to start configuring Windows SharePoint Services for the ECTS.
The process to configure Windows SharePoint Services involves the following steps:
Set Up SharePoint Database and SharePoint Central Administration
First, you need to set up the SQL Server database for Windows SharePoint Services and create the Central Administration site. Earlier you chose not to have the wizard do this so that you could use your own SQL Server rather than the embedded SQL Server that comes with Windows SharePoint Services 3.0.
To begin the setup process, open a Command Prompt window and change to the SharePoint bin directory:
cd "%CommonProgramFiles%\microsoft shared\web server extensions\12\bin"
From there, run the following command: psconfig -cmd configdb -create -server SQL_Server where SQL_Server is the name of the SQL Server instance you installed earlier (for example, TREY-SP-01\SQLEXPRESS). This will create the SharePoint configuration databases that Windows SharePoint Services will use.
Next, you need to create the Central Administration server. To do so, use the following command: psconfig -cmd adminvs -provision -port port where port is the port number for the Central Administration server that you recorded with your Required Data.
Set Up E‑mail
Now that you have created the Central Administration server, you can use it to complete the configuration of Windows SharePoint Services. To access the server, click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration, or use Internet Explorer to access http://host_name:port where host_name is the host name of the extranet server and port is the port number for the Central Administration server that you recorded with your Required Data. The first thing to configure inside Windows SharePoint Services is outgoing e‑mail.
To configure outgoing e‑mail:
At this point, SharePoint should be able to send e‑mail to internal and external users.
Create a Collaboration Site
Next, create the base site for the extranet collaboration environment. This is the site where users will create new collaboration sites, and where administrators will approve requests, manage users, and so on.
To create a collaboration site:
Eventually an Application Created page will display.
Extend the Collaboration Site
The site you just created has an internal URL that internal users can access. Now you must extend this site to an external URL that people outside your firewall can access.
To extend the Web application to the extranet zone:
When the process completes, the Application Management page will appear.
Create a Site Collection
So far, you have created a SharePoint Web application, but you have not created any content for it. By creating a site collection, you put some content in the Web application.
To create a site collection for the Web application you just created:
The system will run for a while then display a Top-Level Site Successfully Created message. You should now be able to access your new collaboration site. You can verify that the site was created by clicking the URL on the page.
Set Up Forms-based Authentication
Finally, you need to turn on forms-based authentication for the extranet zone. This will allow your external users to log on with a familiar forms-based logon page.
To set up forms-based authentication:
When the Authentication Providers page displays and shows ADAMUser in the Extranet Membership Provider Name field, you have completed setup of the SharePoint environment. You are now ready to install the ECTS.
With forms-based authentication, client integration is disabled by default. The main impact of having client integration disabled is that documents cannot be saved directly to the SharePoint site from within a client application. Instead, the user must save the document locally then upload it to the site.
There might be workarounds available that you could use to make some client integration features work with forms-based authentication. However, these workarounds might be inadequate, or you may experience unexpected issues with them. Microsoft does not support such workarounds. If you plan to use client integration with forms-based authentication, you must fully test any solutions or workarounds to determine if the performance and functionality are acceptable in your environment.
For more information about forms-based authentication and client integration, see Configure forms-based authentication (Office SharePoint Server).
The External Collaboration Toolkit for SharePoint is distributed as a Windows Installer package (MSI) that contains the setup utilities and binaries for the solution. Running this MSI (called ECTS.msi) copies these files to your system, but does not automatically install or configure the software.
After the software is installed, you have two options for setting up the software: to use the Setup Wizard or run the installation scripts manually. This section describes both methods.
Whichever method you choose, the first step is to install the ECTS.msi on the extranet server. To do this, log on to the extranet server as the local administrator, then either double-click the ECTS.msi file, or run msiexec -i ects.msi from the command line. By default, this will copy all the necessary files into a folder called External Collaboration Toolkit under My Documents. The installer will give you the option to select which features you want to install on the server. You should generally install all the features. After you copy the binaries to the extranet server, you still must set up the ADAM user store for external users, configure SQL Server, and install the SharePoint extensions. You can either use the Setup Wizard to perform these tasks, or do them manually.
Use the ECTS Setup Wizard
The ECTS Setup Wizard simplifies ECTS setup. The Setup Wizard walks you through the process to gather the information required for setup, then configures ADAM, SQL Server, and Windows SharePoint Services as needed to enable the solution. You will need much of the information that you recorded with your Required Data to complete the Setup Wizard.
To run the Setup Wizard, log on as either local administrator (which is preferred) or the domain administrator, then double-click the ECTSSetupWizard icon in the directory in which you installed the ECTS. Follow the prompts and provide answers to all the questions and then click the Install button to set up the environment. When the wizard completes, you are ready to verify the installation, as described later in the “Verify Installation” section.
Set Up Manually
You can choose to run the installation scripts manually, which this section describes. Note that you perform the manual setup in the following order: ADAM, SQL Server, then Windows SharePoint Services. Also note that you should log on as either local administrator (preferred) or domain administrator before you begin the setup process.
Run the ADAM Setup Script
To set up the ADAM user store, you need to run a command from the ECTS installation directory (typically My Documents\External Collaboration Toolkit) on the extranet server. You should run the script after you log on as a local or domain administrator.
To set up ADAM, use the following command:
cscript ects_setup_adam.vbs container_name LDAP_port LDAPS_port
Where container_name is the LDAP container name, LDAP_port is the LDAP port number, and LDAPS_port is the LDAPS port number that you recorded with your Required Data.
This script does several things. It:
Run the Database Setup Script
Next, you should set up the SQL Server database that the ECTS will use. You can do this by running another script, which you can find in the ECTS installation directory (typically My Documents\External Collaboration Toolkit) on the extranet server. As before, you should log on as either a local or domain administrator to run the script.
To run the SQL Server setup script, use the following command:
cscript ects_setup_sql.vbs SQL_Server
Where SQL_Server is the name of the SQL Server.
Run the ECTS Setup Script
Finally, you should install and configure the ECTS software on the extranet server. You can do this by running another script, which you can find in the ECTS installation directory (typically My Documents\External Collaboration Toolkit) on the extranet server. As before, you should log on as either a local or domain administrator to run the script.
To run the ECTS SharePoint setup script, use the following command:
cscript ects_setup_sharepoint.vbs ADAMhost container SQL_Server internalURL SMTPHost mailfrom LDAPS_port
Where ADAMhost is the server hosting the ADAM instance, container is the base container for the LDAP instance, SQL_Server is the appropriate SQL Server instance, internalURL is the URL for the internal SharePoint site, SMTPHost is the internal e‑mail host name that SharePoint should use, mailfrom is the e‑mail address from which the mail should come, and LDAPS_port is the port on which ADAM listens for SSL encrypted connections. You recorded all of this information with your Required Data.
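As an added example (not a script shipped with the ECTS), the following Windows PowerShell script runs the three manual setup scripts in the required order, ADAM, SQL Server, then SharePoint, from Required Data held in variables, stops on the first non-zero exit code, and, before the SharePoint script is pointed at ADAM, checks that the new ADAM instance accepts an SSL connection on its LDAPS port and presents a certificate this server trusts. Every host name, port, container and address below is a placeholder to replace with your own Required Data; the script assumes Windows PowerShell 2.0 or later, the default installation folder, and that the account running it is an ADAM administrator of the instance (the account that just ran ects_setup_adam.vbs).

```powershell
# Added example, not part of the ECTS package. Runs the manual setup scripts
# in order (ADAM, SQL Server, SharePoint) and verifies LDAPS before the last
# step. Assumes PowerShell 2.0+. All values below are placeholders: replace
# them with the entries from your Required Data form.
$ects        = Join-Path ([Environment]::GetFolderPath("MyDocuments")) "External Collaboration Toolkit"
$AdamHost    = "extranet.treyresearch.net"
$Container   = "CN=ECTSUsers,DC=treyresearch,DC=net"
$LdapPort    = 50000
$LdapsPort   = 50001
$SqlServer   = "TREY-SP-01\SQLEXPRESS"
$InternalUrl = "http://collab.treyresearch.net"
$SmtpHost    = "mail.treyresearch.net"
$MailFrom    = "collab@treyresearch.net"

function Invoke-SetupScript([string]$Script, [string[]]$Arguments) {
    # Run one of the ECTS setup scripts and stop on a non-zero exit code.
    $path = Join-Path $ects $Script
    if (-not (Test-Path $path)) { throw "Setup script not found: $path" }
    Write-Host "==> cscript $Script $Arguments"
    & cscript.exe //nologo $path $Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Script failed with exit code $LASTEXITCODE" }
}

function Test-AdamLdaps([string]$ServerHost, [int]$Port) {
    # Connect over SSL and read the RootDSE. Bind fails if the certificate is
    # not trusted by this server, does not match $ServerHost, or ADAM cannot
    # read its private key, which is exactly what the ECTS membership provider
    # would hit later. The current user is assumed to be an ADAM administrator.
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ServerHost, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    "", "(objectClass=*)",
                    [System.DirectoryServices.Protocols.SearchScope]::Base, "namingContexts")
        $resp = $conn.SendRequest($req)
        $ncs  = $resp.Entries[0].Attributes["namingContexts"].GetValues([string])
        Write-Host "LDAPS OK on ${ServerHost}:$Port; naming contexts: $($ncs -join ', ')"
        return $true
    } catch {
        Write-Warning "LDAPS to ${ServerHost}:$Port failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

Invoke-SetupScript "ects_setup_adam.vbs" @($Container, $LdapPort, $LdapsPort)
if (-not (Test-AdamLdaps $AdamHost $LdapsPort)) {
    throw "ADAM does not accept SSL on port $LdapsPort. Fix the certificate or key file permissions before continuing."
}
Invoke-SetupScript "ects_setup_sql.vbs" @($SqlServer)
Invoke-SetupScript "ects_setup_sharepoint.vbs" `
    @($AdamHost, $Container, $SqlServer, $InternalUrl, $SmtpHost, $MailFrom, $LdapsPort)
```

The LDAPS probe sits between the ADAM and SharePoint steps on purpose: if it fails, the SQL Server and SharePoint steps have not run yet, so there is nothing to undeploy before you correct the certificate or the key file ACL and rerun the script.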
After the ECTS is installed and basic configuration is complete, you can verify that Windows SharePoint Services is working as expected.
Following setup, you can take steps to verify that basic things are working as expected. For example, you should be able to see a basic SharePoint site by accessing your internal URL from a browser on your internal network. If you attempt to access the external URL from an external browser, you should see a forms-based authentication page (assuming your firewall is configured as expected).
If you encounter errors, the most likely cause is a mistake in entering the Required Data used to set up SharePoint. If you feel that you might have entered some of the Required Data incorrectly, you can use the undeploysolution.cmd script to remove the ECTS software so you can try again. You can find this script in the installation folder (typically My Documents\External Collaboration Toolkit).
To run the undeploysolution.cmd script, use the following command:
Where internalURL is the URL for the internal SharePoint site. Running this command will remove all traces of the ECTS from your SharePoint environment.
Enable SSL on the External Web Site
To finish up your installation, you need to enable SSL on the external URL of your collaboration site. This will help ensure the confidentiality of information as it traverses the Internet. Note that this step is not necessary to continue setting up the software, but should be completed before you begin using your extranet collaboration site for actual collaboration. If you enabled SSL during installation and deployment, you will not be able to access the external URL until you have installed a certificate.
For information about how to request and install a certificate on IIS, see How to enable SSL for all customers who interact with your Web site in Internet Information Services. Note that you need a certificate only for the external Web site.
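As an added example (not from the ECTS documentation), this Windows PowerShell check, run from a machine outside the firewall once SSL is enabled, confirms that the external site presents a certificate that chains to a trusted root and matches the external name, reports its expiry and the negotiated cipher, and confirms that the site no longer serves content over plain HTTP. The host name collab.treyresearch.net is a placeholder; Windows PowerShell 2.0 or later is assumed.

```powershell
# Added example, not part of the ECTS package. Checks the external URL after
# SSL has been enabled on the extranet zone. Host name is a placeholder.
$ExternalHost = "collab.treyresearch.net"

function Test-ExternalTls([string]$HostName) {
    # AuthenticateAsClient validates the chain and the host name: a self-signed,
    # expired or mis-named certificate throws here, which is what external
    # users' browsers would warn about.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host "Subject : $($cert.Subject)"
        Write-Host "Issuer  : $($cert.Issuer)"
        Write-Host "Expires : $($cert.NotAfter)"
        Write-Host "Cipher  : $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit, protocol $($ssl.SslProtocol)"
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning "Certificate expires within 30 days; renew it before external users are locked out."
        }
        return $true
    } catch {
        Write-Warning "TLS check for $HostName failed: $($_.Exception.Message)"
        return $false
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

function Test-PlainHttpBlocked([string]$HostName) {
    # Once SSL is required, the clear-text port must not serve the site.
    # A 3xx to https is acceptable; a 200 means content still goes out in the clear.
    $req = [System.Net.WebRequest]::Create("http://$HostName/")
    $req.AllowAutoRedirect = $false
    $req.Timeout = 5000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return ($code -ge 300 -and $code -lt 400)
    } catch [System.Net.WebException] {
        # 403 (IIS "SSL required") or a refused connection: clear-text path is closed.
        return $true
    }
}

Test-ExternalTls $ExternalHost
Test-PlainHttpBlocked $ExternalHost
```

Both functions return $true only when the check passes, so the script can be scheduled and its output reviewed, or its results fed to whatever monitoring already watches the extranet server.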
Before allowing external users to connect to your collaboration server, we strongly recommend that you use the Security Configuration Wizard (SCW) to ensure that non-essential functionality is turned off on your collaboration server. This will help to reduce the attack surface of your server when it is connected to the Internet. For information about how to install and run this tool, see the SCW Quick Start Guide on the Microsoft Download Center.
For more information about hardening your Windows Server 2003–based system, see the Windows Server 2003 Security Guide.
Microsoft Forefront Security for SharePoint
Now that you are collaborating with people outside your organization, it is important to use an anti-malware solution designed for SharePoint. Microsoft Forefront™ Security for SharePoint provides this capability, as well as true file-type and keyword filtering capabilities. For more information, see the Forefront Security for SharePoint 2007 User Guide and Introduction to Forefront Security for SharePoint Best Practices.
After the software is installed and configured, you need to make the Web Parts available, set up the security for the site, and configure how the ECTS works. These topics are covered in the next chapter of this document.